Reporter Responsibly Discloses Vulnerability
Missouri Governor Mike Parson is threatening legal action against a reporter and newspaper who found a security vulnerability and responsibly disclosed that the Social Security numbers of teachers and educational staff were exposed and easily accessible.
The St. Louis Post-Dispatch reports that it informed the Missouri Department of Elementary and Secondary Education (DESE) that one of its web tools was returning HTML pages containing employee SSNs, potentially endangering the information of more than 100,000 employees. Despite the fact that the outlet waited until the state took the tool offline before publishing its story, Governor Parson has called the reporter a “hacker” and says he will involve the county prosecutor and investigators.
According to the Post-Dispatch, the tool that contained the vulnerability was designed to let the public look up teachers’ credentials. However, it allegedly included the employee’s SSN in the page it returned. While the SSN did not appear as plain text on screen, KrebsOnSecurity reports that accessing it was as easy as right-clicking on the page and choosing “Inspect Element” or “View Source”.
While the reporter followed standard protocol for disclosing and reporting the vulnerability, the governor is treating the reporter as if they had attacked the site or tried to access teachers’ private information for nefarious purposes.
In a press conference, Governor Parson described the reporter’s actions as “decoding the HTML source code”, which he finds suspicious and secretive. However, he is literally describing how viewing a website works: it is the server’s job to send an HTML file to your computer so that you can view it, and nothing contained in that file is secret, even if it is not visible on your screen when you view the page. Governor Parson says nothing on DESE’s website allowed users to access the SSN data, but the data was in fact being handed out freely.
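As an added illustration (not code from the Post-Dispatch, DESE, or this article), the following Python sketch shows the class of mistake described above and a defender-side check for it: a hypothetical page template that writes a field into markup the browser never displays, the same template with the field projected away before rendering, and a scan that distinguishes what a browser shows on screen from what the server actually sent. The teacher record, field names and SSN value are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample record for the example; not real data.
TEACHER = {"name": "Jane Example", "cert_id": "C-0001", "ssn": "123-45-6789"}


def render_leaky(teacher):
    """Hypothetical template reproducing the pattern in the article: the page
    visibly shows only name and certificate, but the SSN is also written into
    a hidden input, so it is in the HTML file the server sends even though it
    never appears on screen."""
    return (
        "<div class='teacher'>"
        f"<span class='name'>{escape(teacher['name'])}</span>"
        f"<span class='cert'>{escape(teacher['cert_id'])}</span>"
        f"<input type='hidden' name='ssn' value='{escape(teacher['ssn'])}'>"
        "</div>"
    )


def render_fixed(teacher):
    """Hardened version: project the record down to the public fields before
    it reaches the template, so the SSN cannot end up in the response."""
    public = {k: teacher[k] for k in ("name", "cert_id")}
    return (
        "<div class='teacher'>"
        f"<span class='name'>{escape(public['name'])}</span>"
        f"<span class='cert'>{escape(public['cert_id'])}</span>"
        "</div>"
    )


class _TextOnly(HTMLParser):
    """Collects only text nodes, i.e. roughly what a browser renders on screen.
    Attribute values (such as a hidden input's value) are not text nodes."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(html):
    """Approximate the on-screen text of a page: tags and attributes dropped."""
    parser = _TextOnly()
    parser.feed(html)
    return "".join(parser.parts)


# SSN-shaped token: three digits, two digits, four digits, hyphen separated.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_ssn_leaks(html):
    """Scan the full response body (not just the visible text) for SSN-shaped
    tokens. This is the check a defender runs over rendered pages in a test
    suite or over captured responses, and it sees everything 'View Source' sees."""
    return SSN_RE.findall(html)


def check_page(render, teacher):
    """Regression check: True when the rendered page contains no SSN-shaped data."""
    return not find_ssn_leaks(render(teacher))


if __name__ == "__main__":
    leaky = render_leaky(TEACHER)
    print("visible text:", visible_text(leaky))
    print("in source  :", find_ssn_leaks(leaky))
    print("fixed page :", find_ssn_leaks(render_fixed(TEACHER)))
```

The point of `visible_text` versus `find_ssn_leaks` is the one the article makes: a value absent from the screen is not absent from the page. A check that only looks at rendered text would pass the leaky template; the check over the raw response body fails it, and that is the one worth wiring into a CI test for any public-facing lookup tool.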
You can watch the Governor’s full press conference below.
We contacted DESE to clarify whether the tool was publicly accessible or required logging in, but did not immediately receive a response. Of course, having the data accessible at all is a problem, even if it sits behind a login.
Missouri’s response is, to put it mildly, the exact opposite of standard practice. Many organizations run bug or security bounties worth hundreds of thousands of dollars, which they pay to hackers who find and responsibly disclose such flaws. These programs exist because they make your systems more secure: yes, people will search for and find vulnerabilities, but chances are someone was already doing that. With a bug bounty, they tell you so you can fix the flaw instead of selling that information on the dark web or using it for personal gain. Obviously, payouts of that size are not appropriate for school districts, whose IT departments are often underfunded because of shrinking budgets, but there are plenty of options between paying large sums of money and threatening legal action.
Governor Parson says the incident could cost the state’s taxpayers $50 million. If a malicious hacker had found this trove of SSNs, it would have been even more costly: the state would still have to fix the system, and teachers would have solid claims against it if they needed identity protection services.
Governor Parson (in a press release from the Office of Administration) clarifies that SSNs were only accessible one at a time; a list of every employee’s personal information was not included in the HTML files. But as anyone who has seen the opening scene of The Social Network knows, it can be trivial for hackers to download every page from an application and pull specific information out of them. Just because the reporter didn’t do that (which would arguably have been irresponsible) doesn’t mean it wasn’t possible, and it doesn’t speak to good security practices.
To be clear: prosecuting reporters, news outlets, and anyone else involved would only put people in Missouri at greater risk, because no one would want to report security flaws found in public systems if the state’s response was to send law enforcement after them. Security holes like these are extremely unfortunate, but they will inevitably happen (the Post-Dispatch reports that a 2015 audit found DESE storing student SSNs). With public entities and companies alike, the real test is not whether it happens, but how you react when it does. Unfortunately, it looks like Governor Parson is failing that test.